AD authentication with dovecot not working.
Hi All,
I am trying to set up AD auth with dovecot and have tried a lot of options, but still no success.
I am using a bind account for AD authentication, and the users are not posix accounts. I am not using the ssl cert as it's not available, so I am disabling it. I have used similar settings with saslauthd+postfix and it worked; not sure what I am doing wrong with the configuration.
My configuration is as follows:
# dovecot --version
2.3.16 (7e2e900c1a)
# dovecot -n
# 2.3.16 (7e2e900c1a): /etc/dovecot/dovecot.conf
# OS: Linux 5.14.0-474.el9.x86_64 x86_64 CentOS Stream release 9
# Hostname: mail-centos.example.com
auth_mechanisms = plain login
first_valid_uid = 1000
listen = *
mail_location = maildir:~/Maildir
mbox_write_locks = fcntl
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
  }
}
service pop3-login {
  process_limit = 500
}
service submission-login {
  inet_listener submission {
    port = 587
  }
}
ssl_cert = </etc/ssl/example.com/server.pem
ssl_cipher_list = PROFILE=SYSTEM
ssl_key =  # hidden, use -P to show it
userdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}

# cat /etc/dovecot/dovecot-ldap.conf.ext
uris = ldaps://10.1.85.11
dn = CN=s_linux_bind,OU=Global,OU=Services,OU=Accounts,OU=root,DC=example,DC=com
dnpass = xxxxx
auth_bind = yes
tls_require_cert = never
debug_level = 1
ldap_version = 3
base = dc=example,dc=com
scope = subtree
deref = never
user_filter = (&(objectClass=user)(sAMAccountName=%u))

Error logs:
dovecot[6600]: auth: Error: ** ld 0x556695138d90 Outstanding Requests:
dovecot[6600]: auth: Error: * msgid 2, origid 2, status RequestCompleted
dovecot[6600]: auth: Error: outstanding referrals 2, parent count 2
dovecot[6600]: auth: Error: * msgid 3, origid 2, status InProgress
dovecot[6600]: auth: Error: outstanding referrals 0, parent count 2
dovecot[6600]: auth: Error: * msgid 5, origid 2, status InProgress
dovecot[6600]: auth: Error: outstanding referrals 0, parent count 1
dovecot[6600]: auth: Error: ld 0x556695138d90 request count 3 (abandoned 0)
dovecot[6600]: auth: Error: ** ld 0x556695138d90 Response Queue:
dovecot[6600]: auth: Error: Empty
dovecot[6600]: auth: Error: ld 0x556695138d90 response count 0
dovecot[6600]: auth: Error: ldap_chkResponseList ld 0x556695138d90 msgid -1 all 0
dovecot[6600]: auth: Error: ldap_chkResponseList returns ld 0x556695138d90 NULL
dovecot[6600]: auth: Error: ldap_int_select
postfix/submission/smtpd[6602]: warning: unknown[10.1.70.75]: SASL LOGIN authentication failed: Connection lost to authentication server
postfix/submission/smtpd[6602]: disconnect from unknown[10.1.70.75] ehlo=2 starttls=1 auth=0/1 quit=1 commands=4/5
Attaching the detailed error logs.
saslauthd settings which worked:
# cat /etc/saslauthd.conf
ldap_servers: ldaps://10.1.85.11
ldap_search_base: dc=wtg,dc=zone
ldap_filter: (sAMAccountName=%u)
ldap_bind_dn: CN=s_linux_bind,OU=Global,OU=Services,OU=Accounts,OU=root,DC=example,DC=com
ldap_password: xxxx
ldap_tls_reqcert: never
Regards, Sandeep
Maybe easier to make these users linux users/posix accounts and then authenticate against linux. With nslcd and sssd you also have some caching you can benefit from. I am not even sure if this is related to dovecot or your postfix.
Hi,
On 11.07.24 03:34, hkhk_exact10 via dovecot wrote:
# cat /etc/dovecot/dovecot-ldap.conf.ext
uris = ldaps://10.1.85.11
dn = CN=s_linux_bind,OU=Global,OU=Services,OU=Accounts,OU=root,DC=example,DC=com
dnpass = xxxxx
auth_bind = yes
tls_require_cert = never
debug_level = 1
ldap_version = 3
base = dc=example,dc=com
scope = subtree
deref = never
user_filter = (&(objectClass=user)(sAMAccountName=%u))
Just a quick look (probably not the only issue but a start)
- maybe a missing
pass_filter = (&(objectClass=user)(sAMAccountName=%u))
? See https://doc.dovecot.org/configuration_manual/authentication/ldap_settings_au... and https://doc.dovecot.org/configuration_manual/authentication/ldap_settings_au...
- dn = <linebreak> comes from mail formatting? If not, strip it: dn = CN=[...]
-- Regards, Andreas Haerter
foundata GmbH Steinhäuserstr. 20 76135 Karlsruhe
Registered office: Karlsruhe. Registry court: Amtsgericht Mannheim, HRB 714807. Managing director: Andreas Haerter. VAT ID: DE284122682
Hi All,
Can anyone help me with this?
Regards, Sandeep
On Thu, Jul 11, 2024 at 11:34 AM hkhk_exact10 <hkhkexact@gmail.com> wrote:
I would check manual binding first with ldap-client:
warning: unknown[10.1.70.75]: SASL LOGIN authentication failed: Connection lost to authentication server
This is not normal and needs to be clarified. Maybe the client rejects the local certificate, or the AD server rejects the source for some reason.
On 7/19/24 07:00, hkhk_exact10 via dovecot wrote:
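An added example, not code from the thread or from Dovecot: a small checker for the two points Andreas raised (pass_filter left at its default, a DN wrapped across lines) and for the unverified ldaps certificate, plus a builder for the manual ldapsearch check Mihai suggests. The embedded config is the posted dovecot-ldap.conf.ext, abridged, with the DN wrapped as it arrived in the mail; the default pass_filter value is Dovecot's documented one.

```python
import re, shlex

# Dovecot's documented default when pass_filter is unset; it matches only
# posixAccount objects, which plain AD users are not.
DEFAULT_PASS_FILTER = "(&(objectClass=posixAccount)(uid=%u))"

# The posted config, abridged; the DN wraps exactly as it did in the mail.
POSTED_CONF = """\
uris = ldaps://10.1.85.11
dn = CN=s_linux_bind,OU=Global,OU=Services,OU=Accounts,OU=root,DC=example,DC=c
om
dnpass = xxxxx
auth_bind = yes
tls_require_cert = never
base = dc=example,dc=com
user_filter = (&(objectClass=user)(sAMAccountName=%u))
"""

def parse_conf(text):
    """Return (settings, stray); stray holds lines that are not key = value."""
    settings, stray = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\w+)\s*=\s*(.*)$", line)
        if m:
            settings[m.group(1)] = m.group(2)
        else:
            stray.append(line)  # e.g. the tail of a DN wrapped by a mail client
    return settings, stray

def lint(settings, stray):
    """Findings for an AD (non-posix) passdb with auth_bind = yes."""
    findings = []
    if stray:
        findings.append("value split across lines: %r" % stray)
    if (settings.get("auth_bind") == "yes" and "pass_filter" not in settings
            and "auth_bind_userdn" not in settings):
        findings.append("pass_filter unset: default matches no AD user")
    if settings.get("tls_require_cert") == "never":
        findings.append("tls_require_cert = never: AD certificate not verified")
    return findings

def ldapsearch_cmd(settings, user):
    """OpenLDAP ldapsearch line reproducing Dovecot's lookup for `user`."""
    filt = settings.get("pass_filter", DEFAULT_PASS_FILTER).replace("%u", user)
    args = ["ldapsearch", "-H", settings["uris"], "-D", settings["dn"], "-W",
            "-b", settings["base"], filt, "dn"]
    return " ".join(shlex.quote(a) for a in args)
```

Running the generated ldapsearch line with the unchanged config returns no entry, which is the same empty result Dovecot's passdb lookup gets before the bind is even attempted.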
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
participants (4)
- Andreas Haerter
- hkhk_exact10
- Marc
- Mihai Badici